Roles - ability to set them "read-only" when setting them public

On our radar

When you set roles public, every eSpace is allowed to grant/revoke them.

This is not very handy when you have 2 applications which have the same userprovider yet have different roles altogether (but need the roles to be public because it's shared over a couple of modules).

So, same as entities, you can choose how you want to make them public. This way you can force one module to be responsible if the user can be allowed to grant/revoke them to a specific user!

Created on 7 Oct 2016
Comments (5)

Had the same thinking last week, good one!

Still no news on this, but it's something I'd really dig. Sometimes, for simpler role schemes, I even expose my own role checking wrapper actions to the frontends, so that the grant/revokes are hidden.

But can't you still grant (and revoke) the role directly by creating/deleting the relevant entity record(s) (i.e. User_Role, User_Effective_Role)?...

That already sounds like a workaround, Jorge.

What I'm saying is that this feature would need to be powerful enough to stop that kind of workaround (read-only roles should not be modifiable using SQL statements either), otherwise it's not that consistent and useful in restricting control, is it?